How to Protect Your WordPress Blog Against Brute Force Attacks

Yesterday security experts warned of a large distributed botnet attack against WordPress sites. From ArsTechnica:

The unknown people behind the highly distributed attack are using more than 90,000 IP addresses to brute-force crack administrative credentials of vulnerable WordPress systems, researchers from at least three Web hosting services reported.

This doesn’t mean that WordPress is inherently insecure. However with the vast WordPress install base, it is a big target for a large level attack. Also, since many users have self-hosted WordPress, and either never updated, or are using “Admin” as their username along with a password that is not complex enough, like “P@ssw0rd” or other easily guessed passwords, they are open to attack.

At BlogWranglers, we install, support and move a large number of WordPress sites. If you are concerned that your site may have been hacked, or if you want a quick security audit to make sure it’s as safe as possible, we can help.

If you have a WordPress site, here are a few steps you can take yourself:

Make sure your site is up to date with the latest WordPress code. Remember backup first. Then upgrade plugins.

Change your password (and ALL passwords for your site ) to something that uses at least 8 characters, including numbers, symbols and uppercase.

Do not use “Admin” as your user name for any account. If you do, set up a new administrator account and delete the admin user. There are also plugins to do this.

You can install a second layer of security by installing an htaccess password. Instructions here.

Here is a list of some of the most commonly guessed passwords. Don’t use these or anything like them.

admin

admin123

123456

123123

123456789

password

1234

root

1234567

12345

qwerty

welcome

pass

abc123

12345678

1111

test

monkey

iloveyou

dragon

demo

By contrast, your password should not be short. It should not be so complex that you can not use it or remember it. And wouldn’t it be great if it is easy to enter?

The solution that works for me is a password manager. I use RoboForm. This password manager allow me to use super complex passwords that are long. Entering them is a click of a button. RoboForm attaches to my browser and is always available to capture and store and then enter passwords based on the URL. I have complete control and nothing automagically scary happens. It will even work with desktop applications. RoboForm is also great for filling in forms with a click. I have over 800 passwords and could not function without it, let alone be secure. Check out RoboForm.

If you need our help, we have engineers standing by ready to help you. Contact us now!